SSL client CA chain cannot be verified (when including CRL)


#1

Hi,
We recently introduced a subordinate CA into our haproxy setup (previously we were using a self-signed CA to sign the haproxy and client certs).

For some reason we are seeing “SSL client CA chain cannot be verified” on the haproxy logs when testing with s_client.

On the client side we see:
140691807639456:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1259:SSL alert number 48
140691807639456:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:

I’m stuck on this issue as the CA chains are identical. They contain both the SubCA and the RootCA. The haproxy and client are both signed by the subca.

[root@proxy ~]# openssl s_client -host proxy -port 11443 -cert cert.pem -key key.pem -CAfile cacert.pem
CONNECTED(00000003)
depth=2 CN = AdminCA, O = ACME, C = US
verify return:1
depth=1 CN = ACMESubCA
verify return:1
depth=0 CN = proxy, O = ACME
verify return:1
140691807639456:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1259:SSL alert number 48
140691807639456:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:

Certificate chain
0 s:/CN=proxy/O=ACME
i:/CN=ACMESubCA
1 s:/CN=ACMESubCA
i:/CN=AdminCA/O=ACME/C=US
2 s:/CN=AdminCA/O=ACME/C=US
i:/CN=AdminCA/O=ACME/C=US

Server certificate
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
subject=/CN=proxy/O=ACME
issuer=/CN=ACMESubCA

Acceptable client certificate CA names
/CN=ACMESubCA
/CN=AdminCA/O=ACME/C=US
Server Temp Key: ECDH, prime256v1, 256 bits

SSL handshake has read 4134 bytes and written 3962 bytes


New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: A4F5F91B50337BCB74BB7E67AB880B84DF242C6F84FDCBEDBD58746CC40FCB5D5109152D060FC9FCC9331F999611E834
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1473180218
Timeout : 300 (sec)
Verify return code: 0 (ok)

The proxy cert verifies ok against the chain
[root@proxy ~]# openssl verify -CAfile proxy-CA.pem proxyCert.pem
proxyCert.pem: OK

The client cert verifies ok against the chain
[root@proxy ~]# openssl verify -CAfile proxy-CA.pem cert.pem
/root/cert.pem: OK

This is only an issue when the CRL from the SubCA is specified.

[root@proy ~]# openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=ACMESubCA
        Last Update: Sep  6 00:03:25 2016 GMT
        Next Update: Sep  6 00:03:25 2017 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:F6:23:57:B2:F0:B5:77:2A:B3:B2:EC:AA:A6:11:E5:97:C0:52:03:AA

            X509v3 CRL Number:
                19
Revoked Certificates:
    Serial Number: 308D55C0EC639B8D
        Revocation Date: Sep  2 20:19:54 2016 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Privilege Withdrawn

Any help would be much appreciated.

Cheers,

Jason


#2

It looks like the CRL file must have the RootCA CRL present also.
Is this the only option in haproxy? So we must download each CRL from each CA in the chain into a crl-file?
Does haproxy support doing this internally? Or OCSP?


#3

I had to script up concatenating the CRLs into a single PEM file… that seemed to work but there wasn’t anything out of the box that I saw to do that.
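The behaviour described in #2 and the concatenation workaround from #3, reproduced end to end as an added example (this is not code from the thread or from the haproxy project). It builds a throwaway two-tier PKI in a temp dir with the thread's CA names (AdminCA root, ACMESubCA issuing CA), issues two client certs and revokes one, generates a CRL from each CA, and then runs `openssl verify -crl_check_all` the way haproxy's `crl-file` check effectively does: with the SubCA's CRL alone a perfectly valid client is rejected because no CRL covers the SubCA itself, while a single PEM holding both CRLs accepts the good client and rejects the revoked one. All keys, serials, and the `alice`/`bob` names are constructed here; only `openssl` is required.

```shell
#!/bin/sh
# Added example: why a crl-file needs a CRL from EVERY CA in the chain, not just
# the issuing SubCA, and how to assemble one. Throwaway PKI built in a temp dir.
set -u
WORK=$(mktemp -d)
CNF="$WORK/pki.cnf"

# Self-contained openssl config so the example does not depend on the system one.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# issue_cert NAME SUBJECT EXT_SECTION [ISSUER]; no ISSUER means a self-signed root.
issue_cert() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  if [ -z "$issuer" ]; then
    openssl req -x509 -new -config "$CNF" -extensions "$ext" -newkey rsa:2048 -nodes \
      -keyout "$WORK/$name.key" -out "$WORK/$name.crt" -subj "$subj" -days 365 2>/dev/null
  else
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "$subj" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 365 -extfile "$CNF" -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# ca_config NAME: minimal 'openssl ca' database so that CA can -revoke and -gencrl.
ca_config() {
  d="$WORK/$1"; mkdir -p "$d"; : > "$d/index.txt"; echo 01 > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = local
[ local ]
database = $d/index.txt
crlnumber = $d/crlnumber
certificate = $WORK/$1.crt
private_key = $WORK/$1.key
default_md = sha256
default_crl_days = 30
EOF
}

# build_crl_file OUT CRL...: the workaround from #3, one PEM holding every CA's CRL.
build_crl_file() { out=$1; shift; cat "$@" > "$out"; echo "$out"; }

# check_client CRLFILE CERT: prints "verified" or "rejected"; -crl_check_all checks
# revocation at every depth of the chain, which is what makes the root's CRL mandatory.
check_client() {
  if openssl verify -crl_check_all -CAfile "$WORK/chain.pem" -CRLfile "$1" "$2" >/dev/null 2>&1
  then echo verified; else echo rejected; fi
}

issue_cert root  "/CN=AdminCA/O=ACME/C=US" v3_ca
issue_cert sub   "/CN=ACMESubCA"           v3_ca     root
issue_cert alice "/CN=alice/O=ACME"        v3_client sub
issue_cert bob   "/CN=bob/O=ACME"          v3_client sub
cat "$WORK/sub.crt" "$WORK/root.crt" > "$WORK/chain.pem"   # same chain the thread uses

ca_config root; ca_config sub
openssl ca -config "$WORK/sub/ca.cnf" -revoke "$WORK/bob.crt"        2>/dev/null  # bob's cert is withdrawn
openssl ca -config "$WORK/sub/ca.cnf"  -gencrl -out "$WORK/sub.crl"  2>/dev/null
openssl ca -config "$WORK/root/ca.cnf" -gencrl -out "$WORK/root.crl" 2>/dev/null  # empty, but still required

SUB_ONLY="$WORK/sub.crl"
COMBINED=$(build_crl_file "$WORK/combined.crl" "$WORK/sub.crl" "$WORK/root.crl")

echo "alice, SubCA CRL only: $(check_client "$SUB_ONLY" "$WORK/alice.crt")"  # rejected
echo "alice, all CRLs:       $(check_client "$COMBINED" "$WORK/alice.crt")"  # verified
echo "bob,   all CRLs:       $(check_client "$COMBINED" "$WORK/bob.crt")"    # rejected
```

The first line is the thread's symptom: a valid client fails not because it is revoked but because the verifier cannot find a CRL for the SubCA's own certificate, which is issued by AdminCA, so it has to come from AdminCA's CRL. The `combined.crl` that `build_crl_file` writes is the file to hand to haproxy's `crl-file` bind parameter; since each CA's `Next Update` is independent, whatever refreshes the file has to refetch every CRL in the chain before the earliest one expires.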